Question about URL's and DNS Queries

Carter Bullard carter at qosient.com
Thu Oct 22 16:05:36 EDT 2009


Hmmm,
So when you store the record in the DB, the whole binary record is
inserted, so the user data buffers are there.  You can then run
radump() against the database contents, doing:

    rasql -r mysql://user@host/db/table -w - -M sql="dport='53'" | radump -s........

But radump() doesn't have a DB interface, so poking the interpreted strings
into the DB is not currently possible (using ra* programs).

Carter

On Oct 22, 2009, at 4:03 PM, mabartle at gmail.com wrote:

> Can I send this data to the db also???
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Carter Bullard <carter at qosient.com>
> Date: Thu, 22 Oct 2009 16:00:02
> To: Mark Bartlett<mabartle at gmail.com>
> Cc: Argus<argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Question about URL's and DNS Queries
>
> Hey Mark,
> I use it all the time to do policy verification/enforcement
> validation, etc....
>
> So, the radump() is just an example of how you can decode the user
> data buffers.  The real issue is that your Argus user data buffer
> capture
> size is big enough to get all the data you need.  For URL's you need to
> grab 2K to get the longest URL?  For DNS, 256 bytes seems to be enough
> for most.  For DNS, the answer is generally bigger than the request, so size
> for the return answer (may need to be 1K?).
>
> And once you've done your analysis, you can throw away the user data
> buffers if you don't want to keep them around with rastrip(), or using
> the "-M dsrs='-suser,-duser'" directive somewhere in your data pipeline.
>
> Carter
>
> On Oct 22, 2009, at 1:57 PM, Mark Bartlett wrote:
>
>> Thanks Carter.. That did the trick, like it always does.....
>>
>> Anyone else using ARGUS for this purpose???
>>
>> What I am trying to do is 'verify' if a user is going to malicious
>> sites....  So we have another mechanism with a 'black list' of sorts
>> that might trigger on a URL or IP Address and I am trying to 'verify'
>> that the user has gone to a 'bad site' with the ARGUS data....  I will
>> also be 'pulling' the DNS info for the same 'purpose'.....
>>
>> mab
>>
>> On Thu, Oct 22, 2009 at 1:45 PM, Carter Bullard <carter at qosient.com>
>> wrote:
>>> Hey Mark,
>>> Try using radump().  It will decode the user data buffer according to
>>> a set of rules, and printout tcpdump() like output for the contents.
>>> You will need to tell it how much of the user data buffer you want it
>>> to decode, and that is specified using the "-s suser:128" option to
>>> specify the size.
>>>
>>> So:
>>>  radump -r argus.out -s +suser:128 +duser:128 - port 53
>>>
>>> Or something like that.
>>>
>>> Carter
>>>
>>> On Oct 22, 2009, at 1:36 PM, Mark Bartlett wrote:
>>>
>>>> Hello all,
>>>>
>>>> I'm trying to 'see' URLs and DNS queries using ARGUS...  I am using
>>>> the latest version of ARGUS and ARGUS-CLIENTS - Argus Version
>>>> 3.0.2...
>>>>
>>>> Here is what I get with the DNS Queries:
>>>>
>>>> [root at argus_server argustest]# ra -F /opt/ARGUS/CONF/excel.rarc -r argus.out - port 53
>>>>
>>>> 12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]=.............rea
>>>>
>>>> 12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]=.............rea
>>>>
>>>> and if I do a capture with TCPDUMP I get this:
>>>>
>>>> [root at argus_server ~]# tcpdump -nni eth0 -s 258 port 53
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on eth0, link-type EN10MB (Ethernet), capture size 258 bytes
>>>> 13:15:23.482375 IP 192.168.50.138.32768 > 192.168.100.33.53: 57520+ A? reaper.gsirt.com. (34)
>>>> 13:15:23.483296 IP 192.168.100.33.53 > 192.168.50.138.32768: 57520* 1/1/0 A 192.168.100.33 (64)
>>>>
>>>> So you can see it doesn't look like the suser data is 'right'???
>>>>
>>>> Here are my excel.rarc settings;
>>>>
>>>> RA_FIELD_DELIMITER=','
>>>> RA_PRINT_NAMES=none
>>>> RA_FIELD_SPECIFIER="srcid saddr daddr proto sport dport suser duser"
>>>>
>>>>
>>>> My argus.conf file has the following set:
>>>>
>>>> ARGUS_CAPTURE_DATA_LEN=256
>>>>
>>>> So question one:  Am I using the 'right' command???
>>>>
>>>> Question two:  Is there another 'setting' I need to configure to have
>>>> more than 16 spaces in the suser/duser values??
>>>>
>>>> And Carter, I was thinking about going to FloCon10... Any idea what
>>>> the registration fee is???
>>>>
>>>> Thanks.
>>>>
>>>> mark
>>>>
>>>
>>>
>>
>
>
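As an added example, not code from this thread or from the Argus project, the following Python decodes the DNS wire format that sits in Argus's suser/duser buffers, much as radump() does for port 53 traffic, and checks every name it finds against a blocklist, which is the verification Mark described. The query bytes are reconstructed from tcpdump's summary of the 34-byte "A? reaper.gsirt.com." request; the response, the second query and the blocklist entry "bad.example" are constructed for the example. It also shows why ARGUS_CAPTURE_DATA_LEN matters: a buffer cut short raises a truncation error instead of quietly yielding a partial name.

```python
import struct

# Constructed sample data (not taken from a capture): the 34-byte
# "A? reaper.gsirt.com." query that tcpdump reported in the thread, rebuilt
# from the DNS wire format with transaction id 57520 and the RD flag set.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 57520, 0x0100, 1, 0, 0, 0)  # header: 1 question
    + b"\x06reaper\x05gsirt\x03com\x00"                 # QNAME
    + struct.pack("!HH", 1, 1)                          # QTYPE A, QCLASS IN
)

# A constructed response: one A record whose owner name is a compression
# pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 57520, 0x8180, 1, 1, 0, 0)
    + b"\x06reaper\x05gsirt\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # A, IN, TTL 300, 4 bytes
    + bytes([192, 168, 100, 33])
)

# A second constructed query for a name under a hypothetical blocked zone.
SAMPLE_BAD_QUERY = (
    struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0)
    + b"\x03cdn\x03bad\x07example\x00" + struct.pack("!HH", 1, 1)
)

BLOCKLIST = {"bad.example"}          # hypothetical blocklist entry
NAME_RDATA_TYPES = {2, 5, 12}        # NS, CNAME, PTR carry a name in rdata


def read_name(msg, offset, hops=0):
    """Return (name, offset_after_name), following RFC 1035 compression pointers."""
    if hops > 10:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of buffer (truncated capture?)")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if pointer >= offset:
                raise ValueError("forward compression pointer")
            suffix, _ = read_name(msg, pointer, hops + 1)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        if length == 0:                                 # root label ends the name
            return ".".join(labels), offset + 1
        offset += 1
        label = msg[offset:offset + length]
        if len(label) < length:
            raise ValueError("truncated label (capture length too small?)")
        labels.append(label.decode("ascii", "replace"))
        offset += length


def parse_dns(msg):
    """Decode one DNS message from a captured user-data buffer."""
    if len(msg) < 12:
        raise ValueError("buffer shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for i in range(an + ns + ar):
        section = "answer" if i < an else ("authority" if i < an + ns else "additional")
        name, offset = read_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) < rdlen:
            raise ValueError("truncated rdata")
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in NAME_RDATA_TYPES:
            value, _ = read_name(msg, offset)           # name may use pointers
        else:
            value = rdata.hex()
        offset += rdlen
        records.append((section, name, rtype, value))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "records": records}


def matches_blocklist(name, blocklist):
    """True if the name or any parent domain is listed (case-insensitive)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def flag_buffer(buf, blocklist):
    """Decode a buffer and return the sorted set of names that hit the blocklist."""
    msg = parse_dns(buf)
    names = [q[0] for q in msg["questions"]] + [r[1] for r in msg["records"]]
    names += [r[3] for r in msg["records"] if r[2] in NAME_RDATA_TYPES]
    return sorted({n for n in names if matches_blocklist(n, blocklist)})


def is_truncated(buf):
    """True when the buffer cannot be decoded, e.g. the capture length was too small."""
    try:
        parse_dns(buf)
        return False
    except ValueError:
        return True
```

In practice the input buffers would come from the suser/duser fields of the Argus records (for example via rasql or ra with a wide enough `-s suser:N` width), and the truncation check is the quickest way to find flows where the configured capture length was too small for the DNS answer.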
